Snort mailing list archives
Heavy ICMP Traffic
From: "Brian M. Diehl" <bdiehl () a1limo com>
Date: Mon, 4 Nov 2002 14:58:54 -0500
I have Snort on a newly installed rh7.3 box; it's been running for this weekend and I found some really interesting things in the alert log. I haven't been able to find info in the archives. They are, sadly, 2 win2k boxes running, and I'm seeing this between the two of them.

[**] ICMP L3retriever Ping [**]
11/02-01:17:16.078236 xxx.xxx.217.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:4402 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:9278 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The .53 is an external address for one of my boxes, and obviously the 2.4 address is NAT'd for a box with no external addy and is a win2k PDC. I have a roughly 20 meg log file for this particular incident.

Does anyone know what this is? Is this "normal" Windows crap? The odd thing is I'm not seeing a reply from 2.4 to .53....

TIA!
Brian.
bdiehl () a1limo com
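The point Brian raises (echo requests logged with no reply going back) is something you can check mechanically across a large alert file. The following is an added example, not code from the thread: it parses Snort full-alert records laid out like the one quoted above and counts, per source/destination pair, how many ICMP Echo requests have a matching Echo Reply (same ICMP ID and Seq, addresses swapped). The sample records and the 203.0.113.53 address are constructed stand-ins for the redacted log.

```python
import re
from collections import defaultdict
# Constructed sample in Snort's full-alert layout, modelled on the alert quoted in the
# post; 203.0.113.53 stands in for the redacted external address.
SAMPLE_ALERTS = """\
[**] ICMP L3retriever Ping [**]
11/02-01:17:16.078236 203.0.113.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:4402 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:9278  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] ICMP L3retriever Ping [**]
11/02-01:17:17.081412 203.0.113.53 -> 192.168.2.4
ICMP TTL:28 TOS:0x0 ID:4403 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:9279  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] ICMP Echo Reply [**]
11/02-01:17:17.082007 192.168.2.4 -> 203.0.113.53
ICMP TTL:128 TOS:0x0 ID:9031 IpLen:20 DgmLen:60
Type:0  Code:0  ID:512   Seq:9279  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HDR_RE = re.compile(r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]")
ADDR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)", re.M)
ICMP_RE = re.compile(r"Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)")

def parse_alerts(text):
    """Split the log on its =+=+ separator lines and extract the ICMP fields of each record."""
    records = []
    for block in re.split(r"^(?:=\+)+=?\s*$", text, flags=re.M):
        hdr, addr, icmp = HDR_RE.search(block), ADDR_RE.search(block), ICMP_RE.search(block)
        if not (hdr and addr and icmp):
            continue  # not an ICMP record, or a truncated one
        rec = {"msg": hdr["msg"], **addr.groupdict()}
        rec.update({k: int(v) for k, v in icmp.groupdict().items()})  # type, code, id, seq
        records.append(rec)
    return records

def unanswered_echoes(records):
    """Per (src, dst): Echo requests (type 8) logged, and how many have an Echo Reply (type 0) back with the same ID/Seq."""
    replies = {(r["dst"], r["src"], r["id"], r["seq"]) for r in records if r["type"] == 0}
    stats = defaultdict(lambda: {"requests": 0, "answered": 0})
    for r in (r for r in records if r["type"] == 8):
        s = stats[(r["src"], r["dst"])]
        s["requests"] += 1
        s["answered"] += int((r["src"], r["dst"], r["id"], r["seq"]) in replies)
    return dict(stats)

if __name__ == "__main__":
    for (src, dst), s in unanswered_echoes(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src} -> {dst}: {s['requests']} echo requests, {s['answered']} answered")
```

Replies only show up in the alert log if a rule fires on them (Snort ships a generic ICMP Echo Reply rule), so a zero answered count means "no reply was alerted on", not necessarily "no reply crossed the wire"; confirm against a packet capture before drawing conclusions.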
Current thread:
- Heavy ICMP Traffic Brian M. Diehl (Nov 04)
- Re: Heavy ICMP Traffic Nicholas Bachmann (Nov 04)
- <Possible follow-ups>
- RE: Heavy ICMP Traffic Hicks, John (Nov 04)
- RE: Heavy ICMP Traffic Brian M. Diehl (Nov 04)
- RE: Heavy ICMP Traffic Brian M. Diehl (Nov 04)